From 3dec49b2e4205eddd53475cf4047ba74393aa3c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Thu, 13 Mar 2025 09:36:42 +0100
Subject: [PATCH] chore(qemu): enable secure boot

---
 utils/qemu-uefi-tpm.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix
index 0193a27..4fcadfd 100644
--- a/utils/qemu-uefi-tpm.nix
+++ b/utils/qemu-uefi-tpm.nix
@@ -12,7 +12,7 @@ pkgs.writeShellApplication {
 
   text =
     let
-      tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
+      tpmOVMF = pkgs.OVMF.override { tpmSupport = true; secureBoot = true; };
     in
     ''
       set -ex
@@ -26,6 +26,9 @@ pkgs.writeShellApplication {
         --tpm2 \
         --log file="$state/swtpm.log",level=20
 
+      cp ${tpmOVMF.variables} "$state"
+      chmod 700 "$state/OVMF_VARS.fd"
+
       qemu-system-x86_64 \
         -enable-kvm \
         -machine q35,accel=kvm \
@@ -37,7 +40,7 @@ pkgs.writeShellApplication {
         -serial chardev:char0 \
         -mon chardev=char0 \
         -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
-        -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
+        -drive "if=pflash,format=raw,unit=1,file=$state/OVMF_VARS.fd" \
         -chardev socket,id=chrtpm,path="$state/swtpm-sock" \
         -tpmdev emulator,id=tpm0,chardev=chrtpm \
         -device tpm-tis,tpmdev=tpm0 \